CNR No Password Installs Verified

dann
Site Admin
Posts: 1132
Joined: Mon Apr 26, 2004 10:55 pm
Location: Hampton, Va, USA

CNR No Password Installs Verified

Post by dann » Thu Dec 06, 2007 10:42 am

I verified that once you have click and run installed, you do not need to supply a password to install software through CNR. I ran a test and then checked out their forums, where a person from China questioned this process:

http://community.cnr.com/thread/1015?tstart=0

Here is the quote from who I believe is the forum admin:

The setuid bit is turned on so that the CNR client runs as effectively root. This is done so that any user can install/uninstall/update software on a machine. We thought these activities are useful enough to warrant the use of setuid.

To quote the setuid folks, "In some cases these privileges are insufficient to do useful things, for example if the user had the ability to write to the /etc/passwd file they could alter or remove all users passwords - but without access to it they cannot change their own password!"
This continues to concern me. How come Ubuntu gets around the above issues without having to setuid? I still think this is poor security. This means that anyone on the system has the ability to install software as root through the CNR system. This makes my skin crawl.

Oh, and I don't see a plugin for Firefox, so I guess it uses the MIME type stuff in GNOME or your desktop manager.
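The quoted explanation above boils down to one fact: a setuid-root executable gives every local user who can run it the privileges of root, with no password prompt in between. The following audit script is an added example, not code from this thread or from Linspire: it enumerates setuid files under a directory tree and reports any that are not on an allowlist of narrowly scoped system helpers, so an installer that has been made setuid root shows up in the report. It assumes GNU `stat` (Linux) and an allowlist that you adjust to your own baseline.

```shell
#!/bin/sh
# Added example (not from the thread): report setuid executables that are not
# expected, narrowly scoped helpers. Every line printed is a program that any
# local user can run with the owner's privileges, without being asked for a
# password; when the owner is root, that is a password-free path to root.

# Allowlist of setuid helpers a typical distribution ships and that are built
# to do one small job each. Assumption: tune this to your own baseline.
SETUID_ALLOWLIST="passwd su sudo mount umount ping newgrp chsh chfn gpasswd"

# is_allowlisted NAME: succeeds when NAME is on the allowlist.
is_allowlisted() {
    for name in $SETUID_ALLOWLIST; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# audit_setuid DIR: prints "<owner> <mode> <path>" for every setuid file
# under DIR whose basename is not allowlisted.
# -perm -4000 matches the setuid bit regardless of owner, so a setuid binary
# owned by a non-root service account is reported too (it still lets any user
# act as that account). GNU stat is assumed for the owner and mode columns.
audit_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        is_allowlisted "$(basename "$f")" && continue
        printf '%s %s %s\n' "$(stat -c %U "$f")" "$(stat -c %a "$f")" "$f"
    done
}

# count_unexpected_setuid DIR: number of lines audit_setuid would print,
# handy as a single figure for a cron job or a compliance check.
count_unexpected_setuid() {
    audit_setuid "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: audit the usual binary directories and exit non-zero
# when anything unexpected turns up.
if [ "${1:-}" = "--run" ]; then
    for d in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /opt; do
        [ -d "$d" ] && audit_setuid "$d"
    done
fi
```

Run it as `sh audit-setuid.sh --run`; an empty report means every setuid file found is on the allowlist, and any other line names a program worth asking the same question dann asks of the CNR client.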

Tsuroerusu
Posts: 2551
Joined: Mon Sep 05, 2005 8:51 am
Location: Silkeborg, Denmark

Re: CNR No Password Installs Verified

Post by Tsuroerusu » Thu Dec 06, 2007 11:02 am

dann wrote: I still think this is poor security. This means that anyone on the system has the ability to install software as root through the CNR system. This makes my skin crawl.
Linspire has a long history of having some of the worst security in the GNU/Linux world, so this doesn't surprise me at all!
Originally they ran the system as root by default, then they made the user not create a non-privileged by default, arguing that "Oh my god, if we did that we would be like Microsoft and forcing people to do stuff with what they purchased, and then small children would cry". I say bullshit to that, because the users of the market they are aiming for are the stupid people who'll gladly install every porn dialer and every piece of spyware in the world on their Windows systems. These people need to be told "THIS IS BAD SECURITY, YOU SHOULD DO THIS!", because that's reality. And now they make CNR not require a password once installed... I could throw in a slew of Theo de Raadt quotes that would demonstrate my feelings about this, but I'd rather not risk offending anybody! :lol:

"Hatred does not cease by hatred, but only by love. This is the eternal rule."
- Siddhattha Gotama (Buddha), founder of Buddhism.

snarkout
Site Admin
Posts: 1342
Joined: Tue Aug 16, 2005 9:35 pm

Post by snarkout » Thu Dec 06, 2007 11:14 am

I've said this dozens of times before, but I think security is the incorrect word for the problem with this model. Basically, password prompting for root-level access doesn't work, and we know that - people will click "yes" on whatever the hell pops up on the screen just to make the window go away, if for no other reason. There is no way to secure a person's computer against their own actions.

What's left is data integrity, and this is what most users actually care about. No one who brings their box into our shop freaks out that they have been spewing shit onto the internet for months, they freak out about their stolen mp3 collection, their pr0n, their work documents, and their pics of their children. I have yet to see or hear a single person feel remorseful for being an attack vector for a long time.

So, what is this new paradigm? It's certainly not security, at least by today's standard definition. Security can be loosely defined as defense against other people or their bots. To use the shitty "house" comparison, it's security when you have bars on the doors so crooks can't get in, it's security when you have your vast fortune inside a badass safe, and it's security when a smoke alarm gets you and your family out of your house before your house burns down. There isn't much that can be done to keep you from driving a bulldozer into your living room or dropping a wrecking ball on your roof. And let's be serious for a second - while I don't run X as root, I do generally have at least one root console session open - all it takes for my little ones to totally trash my machine is an up arrow or two and some unfortunate stroke of fate in which keys they hit.

So, while I certainly agree it's stupid to run X as root unless you really, really need to, I don't really classify it as a security risk, more like a property damage risk.
Shared pain is lessened, shared joy is increased; thus do we refute entropy.
--Spider Robinson

dann
Site Admin
Posts: 1132
Joined: Mon Apr 26, 2004 10:55 pm
Location: Hampton, Va, USA

Post by dann » Thu Dec 06, 2007 3:37 pm

To extend your shitty house example: CNR is like buying a smart refrigerator that will order your desired food for you and have it delivered. Only, it allows your 8-year-old to freely purchase all the junk food she wants and then unlocks the back door.

We can debate whether this is a security problem or an education problem. I see your point, but I think it's both. A person might find CNR a great utility. In my brief usage and research on the site, it never once said to me that it would allow anyone logged into the system to install software as root.

As a security concern, what happens when someone other than Linspire attempts to exploit the click and run system? It does not seem like it would be that difficult to do. Provide a link to a click and run app infected with a trojan of some sort and bam! You've exploited the system and put all the users' data in jeopardy.

RandyNose
Posts: 6
Joined: Fri Nov 09, 2007 7:46 pm
Location: OH, when home... USA's Big Roads...

Post by RandyNose » Sun Dec 09, 2007 10:22 pm

dann wrote: To extend your shitty house example: CNR is like buying a smart refrigerator that will order your desired food for you and have it delivered. Only, it allows your 8-year-old to freely purchase all the junk food she wants and then unlocks the back door.

We can debate whether this is a security problem or an education problem. I see your point, but I think it's both. A person might find CNR a great utility. In my brief usage and research on the site, it never once said to me that it would allow anyone logged into the system to install software as root.

As a security concern, what happens when someone other than Linspire attempts to exploit the click and run system? It does not seem like it would be that difficult to do. Provide a link to a click and run app infected with a trojan of some sort and bam! You've exploited the system and put all the users' data in jeopardy.

Well, Linspire is trying to make the move from Windows to Linux as simple and initially painless as they can, and from their actions with their software, it would look like that's what they are doing. Is it good? Maybe for the short term. But don't MANY people still think of their computer as a toaster, rather than a complex machine that could become part of a botnet? You can also, or at least you could when I looked at it about 8 months ago, CNR an anti-virus program. :)

With Vista having tighter security, and more people being prompted more, I think that a move to Ubuntu or Fedora might be a little more palatable.... If Linspire users take note that Fedora or SLAK etc. users aren't getting into problems, the move from Linspire to a more secure operating platform might be a simpler move??

Dunno.

Most People will only care when it affects them.

With Wal-Mart selling Linux boxes, maybe we will see a positive surge. It could also kick back badly if too many people have a bad experience.
Randy - On The Road
